Anonymize data samples to send to Support

Splunk Enterprise has a few methods to anonymize data in files you send to Support. This lets Splunk Enterprise users share log data without revealing confidential or personal information from their networks.

Diag by default removes some types of sensitive information from search strings in diag files. Read about configuring search string redaction in server.conf.spec.

The anonymize function combs through sample log files or event files to replace identifying data - like usernames, IP addresses, domain names - with fictional values that maintain the same word length and event type. For example, it might turn the string user=carol@adalberto.com into user=plums@wonderful.com.

The anonymized file is written to the same directory as the source file, with ANON- prepended to its filename. For example, /tmp/messages will be anonymized as /tmp/ANON-messages. In Windows, a file \temp\messages becomes \temp\ANON-messages.

Anonymize is controlled from the Splunk Enterprise CLI. See About the CLI for instructions on accessing the Splunk Enterprise CLI.

Simple method

The easiest way to anonymize a file is with the anonymizer tool's defaults, as shown in the session below.

From the CLI while you are in $SPLUNK_HOME/bin or %SPLUNK_HOME%\bin, type the following:

Unix/Linux

Windows

./splunk anonymize file -source </path/to/filename>

.\splunk anonymize file -source <\path\to\filename>

It is good practice to copy the file somewhere safe (like /tmp or \temp) before performing this command.

A global list of common English personal names that Splunk software uses to replace anonymized words.

Anonymize always replaces a word with a name of the exact same length, to keep each event's data pattern the same.

Anonymize uses each name in name_terms once to replace a character string of equal length throughout the file. After it runs out of names, it begins using randomized character strings, but still mapping each replaced pattern to one anonymized string.

A report of terms found in the file that, based on their appearance and frequency, you may want to add to public_terms.txt or to private-terms.txt or to public-terms.txt for more accurate anonymization of your local data.

Anonymize data samples to send to Support

Enter your email address, and someone from the documentation team will respond to you:

Send me a copy of this feedback

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »